Most websites are vulnerable to this, because they use a GET request to initiate logout. I don't know why logout links came in fashion: the operation is definitely idempotent, and thus should be POST-ed.

Yes, you wouldn't be able to put a POST in a forum post here... but you could on any of the XSS links... That's really not a solution. I don't know why the idea of POST being a security feature came in fashion...

Yes, the POST issue: I can also post from my desktop :)
So maluc is right, it's silly to assume that it is safer than GET.
Some scripts check on this, but this is easy to get around by just passing the whole QUERY_STRING along, or just variables such as &submit=submit (seems popular to check on, which is pretty silly).

A POST request is somewhat harder to trigger than a GET request (not automatically, anyway). Thus, more secure. Not totally secure, but more secure.

If tricking users into POSTing data is still a problem, just add a nonce to the logout form. It would absolutely murder caching, but would effectively require an XSS exploit to finish off. For something that's just an annoyance, I think changing it to POST would suffice.

Actually, the POST method is exploitable just like GET. All you have to do is put some URL in an image, and the script behind that URL can do a POST request... Using this method to exploit this kind of bug even gives you more control.

The solution for this will be using POST AND a UNIQUE, GENERATED ONE-TIME TOKEN, which is the way to mitigate this and other CSRF!!!
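As an added example (not code from this thread or from the sla.ckers forum software), here is a minimal server-side model of what the two posts above propose: the logout form is rendered with a freshly generated one-time token, and the logout handler accepts only a POST that carries a token issued to that session. The session store, the user name, the `/logout` action and the status codes are constructed for the example; a real application would plug the same checks into its own session and request handling.

```python
import hmac
import secrets

# Constructed in-memory session store (example only); a real application
# would use its own session backend keyed by the session cookie.
SESSIONS = {}


def create_session(user):
    """Start a server-side session and return its id (normally set as a cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_tokens": set()}
    return sid


def issue_logout_token(sid):
    """Mint a fresh one-time token bound to the session; each rendered form gets its own."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_tokens"].add(token)
    return token


def logout_form_html(sid):
    """Render the logout form with the hidden one-time token (hypothetical /logout endpoint).

    A page that embeds a fresh token per render is effectively uncacheable,
    which is the caching cost mentioned in the thread.
    """
    token = issue_logout_token(sid)
    return ('<form method="POST" action="/logout">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button type="submit">Log out</button></form>')


def _consume_token(session, submitted):
    """Constant-time match against the issued tokens; a match is removed so it cannot be replayed."""
    for issued in list(session["csrf_tokens"]):
        if hmac.compare_digest(issued, submitted):
            session["csrf_tokens"].discard(issued)
            return True
    return False


def handle_logout(sid, method, form):
    """Logout handler returning (status, message).

    Only a POST carrying a valid, unused token issued to this session ends it.
    A GET link, an <img src>, or a cross-site auto-submitted form lacks the
    token (the other origin cannot read it), so none of them can log the user out.
    """
    if method != "POST":
        return 405, "logout requires POST"
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no active session"
    if not _consume_token(session, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    del SESSIONS[sid]
    return 200, f"{session['user']} logged out"


if __name__ == "__main__":
    sid = create_session("alice")
    print(handle_logout(sid, "GET", {}))                      # (405, ...)
    print(handle_logout(sid, "POST", {"csrf_token": "guess"}))  # (403, ...)
    html = logout_form_html(sid)
    token = html.split('value="')[1].split('"')[0]
    print(handle_logout(sid, "POST", {"csrf_token": token}))   # (200, 'alice logged out')
```

The method check alone is the weaker half: as the thread notes, a POST can be forged from another page. The token check is what actually stops the forgery, because the forging page never sees the hidden value; requiring POST just keeps the form from being tripped by a plain link or image URL.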

It's quite ironic that the forum which deals with these common security issues doesn't implement the solutions its discussions contain.

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!

Personally I don't care if sla.ckers has CSRF issues. It's not like rsnake or id are storing my banking information for me on the site. Not to mention who gives a damn if I mysteriously get logged out. If you are that paranoid about CSRF on this site... then view it in Lynx. My 2 cents =o)